PHP 7.0 introduced a new interface called SessionUpdateTimestampHandlerInterface.
Few people know or use this interface because it's not even documented on the
official PHP site. The interface defines just two methods, but they make it
possible to prevent session fixation issues and to implement lazy writes in
session handlers:

    interface SessionUpdateTimestampHandlerInterface
    {
        // Checks if a session identifier already exists or not.
        public function validateId(string $key): bool;

        // Updates the timestamp of a session when its data didn't change.
        public function updateTimestamp(string $key, string $val): bool;
    }

We added this interface to our PHP 7.0 Polyfill component and used it in a
new AbstractSessionHandler base class and a new StrictSessionHandler
wrapper. At the same time, we deprecated the WriteCheckSessionHandler,
NativeSessionHandler and NativeProxy classes and the
session.use_strict_mode option, which will now always be enabled by default.

The memcache PECL extension hasn't released a version in more than 4 years
and the latest release is not compatible with PHP 7. That's why we decided to
deprecate MemcacheSessionHandler, which is also consistent with our decision
to not support Memcache for the Cache and Lock components. Instead of this
deprecated handler, you should use MemcachedSessionHandler, which is based
on the Memcached PHP extension.

In addition, the DbalSessionHandler was also deprecated in favor of
PdoSessionHandler because it lacks all the improvements introduced in the
PdoSessionHandler (lock modes, delayed garbage collector, configurable
naming, etc.). The only advantage it had was the ability to work with non-PDO
drivers. However, given that DBAL now requires PDO as well, this is no longer
relevant.